In a groundbreaking move, the European Union has slapped Meta, the parent company of Facebook, with a record-breaking fine of $1.3 billion, as reported by The Washington Post. This hefty penalty comes as a result of Meta’s violation of EU privacy laws by transferring user data from Europe to the United States. The ramifications of this ruling are far-reaching, potentially affecting numerous American businesses operating within the EU.
The Irish Data Protection Commission, responsible for overseeing data privacy in the EU, ordered Meta to halt all transfers of personal data belonging to users in the EU and the European Economic Area, including non-EU countries such as Iceland, Liechtenstein, and Norway, to the United States. The commission concluded that Meta’s data transfers violated the General Data Protection Regulation (GDPR), which sets strict limits on companies’ utilization of individuals’ personal data.
Critics of the ruling argue that it exacerbates the legal uncertainties faced by companies engaged in cross-border data transfers. These transfers are integral to various business operations, enabling tasks like international collaboration and fulfilling global customer orders. Industry representatives fear that the ruling sets a dangerous precedent that could adversely impact companies transferring data between the EU and the US.
Meta’s President of Global Affairs, Nick Clegg, and Chief Legal Officer, Jennifer Newstead, expressed their disagreement with the fine, calling the decision flawed and unjustified and warning of its potential ramifications. However, they emphasized that Facebook’s operations in Europe would not experience immediate disruption.
This latest development is part of a long-standing struggle to reconcile American consumer data laws with the more stringent European regulations aimed at safeguarding online privacy and security. In 2020, the Court of Justice of the European Union invalidated the commonly used data protection agreement known as Privacy Shield, prompting many companies to reassess their approaches to storing and collecting European customers’ data. Some companies believed they could continue transferring data across borders lawfully by utilizing an alternative mechanism called Standard Contractual Clauses.
To provide clarity and legal certainty for companies engaging in cross-border data transfers, industry groups and businesses have been urging officials to approve a new EU-US Data Privacy Framework. European Commission spokesperson Christian Wigand expressed optimism that the framework would be in place by the summer, offering stability and strong privacy protections for individuals while meeting companies’ needs.
While awaiting the implementation of the new framework, companies will likely rely on existing standard contractual clauses, subject to evaluation by EU regulators on a case-by-case basis. Aaron Cooper, Vice President of Global Policy at BSA the Software Alliance, stressed the significance of the privacy framework’s prompt approval, as it would provide certainty for both companies and individuals engaging in data transfers and underpin job opportunities in various sectors of the economy.
Peter Swire, a privacy and cybersecurity expert at the Georgia Institute of Technology, highlighted that the United States needs to make certain changes under the privacy framework before official approval can be granted by the EU. Meanwhile, the fine imposed on Meta by the Irish Data Protection Commission raises concerns about the safeguards in place when other companies rely on similar standard contractual clauses for data transfers.
The U.S. Chamber of Commerce’s Senior Vice President for International Regulatory Affairs and Antitrust, Sean Heather, echoed the urgency of implementing the new privacy framework to address the legal uncertainties stemming from the Irish Data Protection Commission’s fine against Meta. Restoring data flow certainty between the US and the EU is crucial, as it supports transatlantic economic ties, society, and international cooperation.
Meta has faced regulatory scrutiny regarding its privacy practices for over a decade, including investigations by the Federal Trade Commission in the United States. While the recent $1.3 billion fine is significantly smaller than the $5 billion settlement reached by Meta and the FTC in 2019 over alleged mishandling of user data, it exemplifies how government penalties can have substantial consequences for companies beyond financial impact.
Under the FTC settlement, Meta was required to conduct privacy reviews for every new product or service change, document their impact on users, undergo third-party privacy audits for two decades, and establish compliance officers and a dedicated privacy committee within its board of directors. Similarly, under the recent ruling, Meta has been given five months to develop a system to halt future transfers of personal data to the United States and six months to cease the unlawful processing and storage of EU/EEA users’ personal data in the US.
The inquiry into Meta’s data-sharing practices began in August 2020, leading to the conclusion that Meta violated Article 46(1) of the GDPR, which permits tech companies to transfer personal data from the EU to third countries or international organizations if appropriate safeguards and enforceable data subject rights are ensured. The commission found that Meta violated this article by continuing to transfer personal data from the EU/EEA to the US after the Court of Justice of the European Union invalidated the Privacy Shield agreement in 2020.